Notesnook note-taking app allows malicious tweets to steal user data
CVE-2026-31876
Summary
Notesnook users who embedded tweets in their notes may have been at risk of having their data stolen. The issue is now fixed in version 3.3.9. We recommend updating to the latest version to ensure security.
Original title
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering ...
Original description
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-supplied URL directly into an HTML string without escaping, which was then assigned to the srcdoc attribute of an <iframe>. This vulnerability is fixed in 3.3.9.
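The pattern described above, next to a hardened form, as an added example that is not Notesnook's code or its actual fix. The function names, the embed template, the tweet URL allowlist and the sample input are assumptions constructed for illustration.

```typescript
// Added illustration; hypothetical names, not taken from component.tsx.

// Vulnerable pattern as the advisory describes it: the user-supplied URL is
// interpolated into an HTML string (later used as iframe srcdoc) unescaped.
function tweetEmbedUnsafe(url: string): string {
  return `<blockquote class="twitter-tweet"><a href="${url}"></a></blockquote>`;
}

// Encode every character that can end an attribute value or open a tag.
function escapeHtml(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Assumed allowlist: https only, twitter.com or x.com, handle, numeric status id.
const TWEET_URL =
  /^https:\/\/(?:twitter|x)\.com\/[A-Za-z0-9_]{1,15}\/status\/\d{1,20}$/;

// Hardened form: reject anything that is not a plain tweet URL, then escape
// anyway so the template stays safe if the allowlist is loosened later.
function tweetEmbedSafe(url: string): string | null {
  if (!TWEET_URL.test(url)) return null;
  const href = escapeHtml(url);
  return `<blockquote class="twitter-tweet"><a href="${href}"></a></blockquote>`;
}

// Constructed sample inputs (not from the advisory).
const constructedBad = 'https://x.com/user/status/1"><b>injected</b>';
const constructedGood = "https://twitter.com/user/status/1234567890";

console.log(tweetEmbedUnsafe(constructedBad)); // markup escapes the href value
console.log(tweetEmbedSafe(constructedBad));   // rejected by the allowlist
console.log(tweetEmbedSafe(constructedGood));  // well-formed embed markup
```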
NVD CVSS 3.1
5.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026